INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) evaluation of the Railroad Retirement Board’s (RRB) privacy program.

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act and the Railroad Unemployment Insurance Act. These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid over $9.5 billion in benefits during fiscal year 2006.

The Privacy Act of 1974 (Privacy Act) addresses the government’s obligations concerning the privacy of records maintained on individuals. It establishes requirements for the collection, maintenance, access, disclosure, and accounting of records, as well as penalties and exemptions, for all information about an individual that is maintained by an agency. Section 208 of the E-Government Act of 2002 (E-Government Act) applies the Privacy Act requirements to electronic environments. The primary components of the privacy provisions in the E-Government Act are privacy impact assessments and the establishment of privacy policies on agency websites and in machine-readable formats.[1]

[1] A privacy impact assessment is an analysis of how information is handled to ensure the handling conforms with legal, regulatory, and policy requirements regarding privacy. A privacy impact assessment is essentially a risk assessment of the practices involving privacy-related information.

Throughout the years, the Office of Management and Budget (OMB) has issued guidance that agencies must follow in implementing their privacy programs. This guidance includes, but is not limited to, implementation of the Privacy and E-Government Acts, computer matching, periodic reviews, safeguards, privacy breaches/incidents, and reporting.

The mission of the RRB requires that it maintain detailed beneficiary records that include personal information. The agency reported a total of 35 systems of records in fiscal year 2006.[2]

[2] The Privacy Act defines a “system of records” as any group of records from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

In fiscal year 2005, the RRB appointed a new Chief Privacy Officer to oversee the privacy of beneficiary information. The Chief Privacy Officer reports to the Chief Information Officer in the Bureau of Information Services. The RRB also established two new committees during fiscal year 2007 to aid in privacy-related matters: the Security and Privacy Committee and the Agency Core Response Group. The Security and Privacy Committee generally meets on a quarterly basis and is comprised of agency employee representatives responsible for assisting in the establishment of policies, procedures, and training. The Agency Core Response Group is comprised primarily of agency managers responsible for determining whether privacy breaches pose identity theft problems.

This evaluation was conducted pursuant to Title III of the E-Government Act, the Federal Information Security Management Act of 2002 (FISMA). FISMA requires the RRB to conduct an annual evaluation of its information security program, including privacy. OMB has requested that Inspectors General perform reviews of agency efforts to protect sensitive information. This evaluation of the privacy program at the RRB supports the FISMA evaluation for fiscal year 2007.

Objective, Scope and Methodology

The objective of this evaluation was to assess the adequacy of the RRB’s privacy program. An adequate privacy program provides reasonable assurance that proper safeguards are in place to ensure the security and confidentiality of records. Our work included an assessment of the legal and regulatory requirements, as well as the management, operational, and technical controls, pertaining to the privacy program.

To accomplish our objective, we:

•   reviewed pertinent legal and regulatory requirements including, but not limited to, the Privacy Act, the E-Government Act, FISMA, assorted OMB guidance listed in Appendix I of this report, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53;

•   obtained and reviewed RRB policies and procedures pertaining to the privacy program;

•   reviewed RRB privacy program practices, including systems of records; third party disclosures; privacy impact assessments; privacy breaches; agency committees, reviews, surveys, and reports; agency laptop inventory; data encryption and anti-theft mechanisms; contract language; training; users (including contractors) with access to agency systems; users (including contractors) with virtual private network connections; and contractor certifications;

•   obtained and reviewed the RRB’s Plan of Action and Milestones (POAM), an OMB-designed tool for tracking remedial actions; and

•   interviewed responsible management and staff.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objective. Fieldwork was conducted at RRB headquarters in Chicago, Illinois from October 2006 through April 2007.

RESULTS OF REVIEW

The RRB’s privacy program is not fully effective in providing reasonable assurance that proper safeguards are in place to ensure the security and confidentiality of records. During our review, we noted that additional resources are needed to update policies and procedures, provide job-specific training, and effectively analyze and react to the results of periodic reviews performed by the Chief Privacy Officer.

We also noted weaknesses in the evaluation of risk and privacy impacts, safeguards over remote access and data removal, contract language and applicable clauses, contractor identification, identification and management of weaknesses, and explicit policies and procedures over privacy-related issues.

The details of our findings and recommendations for corrective action follow. Management has agreed to take the recommended corrective actions for all recommendations except Recommendation 4, which was considered and declined, and Recommendation 15, which has only been partially agreed to. The full texts of management’s responses are included in this report as Appendices II, III, and IV.

Resources are Needed for an Effective Privacy Program

The RRB has developed a privacy program designed to meet the requirements of the Privacy Act, the E-Government Act, and OMB requirements; however, additional staffing resources are needed to ensure the effectiveness of the program.

The Privacy Act, E-Government Act, and OMB guidance specifically require a privacy program that continually assesses the risks associated with handling personal information, and the implementation of safeguards to protect against those risks.

We found that many of the RRB’s policies and procedures governing the privacy program are outdated and require revision to explicitly support legal and/or OMB requirements. We also found that the RRB needs to provide job-specific privacy-related training to many of its employees who have increased responsibilities for handling personally identifiable information (PII).[3] Lastly, we found that the RRB needs additional resources to effectively analyze the results of its periodic reviews, and to develop and implement appropriate action plans to address the weaknesses identified.

[3] Personally identifiable information is any information about an individual maintained by an agency which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

The RRB appointed a new Chief Privacy Officer in fiscal year 2005 and two new committees during fiscal year 2007 to aid in privacy-related matters. Although the committees will be able to assist the Chief Privacy Officer in privacy-related activities, this assistance is supplemental to the members’ regular job duties. Much of the above-mentioned work will fall under the purview of the Security and Privacy Committee, which is also tasked with assisting in the implementation of the RRB’s security program. The committee’s responsibilities include the resolution of existing significant deficiencies in risk assessments and periodic testing and evaluations, including certification and accreditation.

Without additional, managed resources, the RRB will continue to experience delays in achieving an effective privacy program that is fully compliant with the Privacy Act, the E-Government Act, and OMB requirements.

Recommendation

    1. We recommend that the Bureau of Information Services acquire additional staffing resources to aid in the implementation of the privacy program.

Management’s Response

The Bureau of Information Services concurs with the recommendation and will begin the process of adding an additional staff person.

Privacy Impact Assessments Need to be Prepared

The RRB is not preparing privacy impact assessments as required by the E-Government Act. A privacy impact assessment determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form while examining and evaluating protections and alternate processes that can mitigate those potential risks.[4]

[4] Information in identifiable form is information in a system or online collection that directly identifies an individual (e.g., name, address, social security or other identifying number or code, etc.), or by which the agency intends to indirectly identify specific individuals in conjunction with other data elements such as gender, race, date of birth, geographic indicators, etc.

The E-Government Act requires agencies to conduct a privacy impact assessment before developing or procuring an information technology system or project that collects, maintains, or disseminates information in identifiable form, or before initiating a new electronic collection of information in identifiable form, from or about members of the public. Agencies are also required to make the privacy impact assessment publicly available whenever practicable.

OMB M-03-22 requires privacy impact assessments when new technologies are employed; when business processes change, such as when databases are merged, centralized, or matched with other databases; or when major system modifications occur, such as when employing new relational database technologies.

The RRB began a major system modification involving the conversion to a relational database technology in October 2005, but did not consider the impact of the new privacy risks this project creates. For example, the conversion requirements/solicitation package did not specify the safeguards required of the contractor’s work environment, in which most of the work is being performed. We also found that, while the RRB attempts to ensure all contractors are aware of their responsibilities in safeguarding PII by obtaining written certifications on Form IRM-1, many of the contractors involved in the database conversion had not been identified and certified by the Chief Privacy Officer. All data used in testing of the database conversion is acquired from the existing production databases containing PII about RRB beneficiaries.

The RRB has not implemented procedures for the completion of privacy impact assessments early in the systems development life cycle.[5] Additionally, the RRB has not provided privacy-related job-specific training to individuals responsible for systems development and/or contract administration. Although privacy issues are included in the RRB’s general awareness training, the depth and breadth of this training is not sufficient to ensure that these individuals are adequately instructed about their responsibilities with respect to PII and the completion of privacy impact assessments.

[5] The Chief Privacy Officer and Security and Privacy Committee are in the process of developing procedures and guidelines for the completion of privacy impact assessments, although no target dates for implementation have been set.

A lack of risk identification when new technologies, business processes, or major system modifications are planned subjects the agency to potential exposure or compromise of PII and the resulting loss of assets.[6] For example, relational database technologies can create a more open environment and avenues for exposure of data that previously did not exist. Agencies can avoid expensive re-work and retro-fitting when the appropriate management, operational, and technical safeguards to ensure the security and confidentiality of records are considered before developing or procuring new information technology.

[6] The resulting loss of assets can range from the use of additional resources to correct a pre-existing problem, to the costs that may be incurred when a breach has taken place and the agency needs to remedy the harm caused by that breach.

Recommendations

We recommend that the Bureau of Information Services:

    2. implement procedures and guidelines for the completion of privacy impact assessments; and

    3. conduct job-specific training on privacy impact assessments for individuals with responsibilities for performing those assessments.

Management’s Responses

The Bureau of Information Services concurs with the recommendations and will implement privacy impact assessment templates and guidelines, and conduct training.

Safeguards over Remote Access and Data Removal Need To Be Strengthened

Adequate safeguards are not in place to ensure the confidentiality of PII when it is remotely accessed or removed from agency premises. During our evaluation we found three situations where safeguards over PII need to be strengthened:

    •   PII is being handled when working at home,
    •   PII is accessed on agency laptops without encryption, and
    •   PII on mainframe tapes is transported and stored off site without encryption.

In June 2006, OMB issued memorandum M-06-16, which contained guidance for safeguarding PII that is accessed remotely or removed from agency premises. The guidance cites specific controls from NIST SP 800-53 that agencies must comply with to properly safeguard PII. The guidance also specifies other requirements, including encryption, when PII is transported outside of the secure agency location or is stored offsite.[7]

[7] Other requirements include allowing remote access only with two-factor authentication, use of a time-out function, and logging and verification that sensitive data is erased when no longer needed. The agency will address the requirement for two-factor authentication after it implements the personal identity verification project for Homeland Security Presidential Directive 12. The RRB complies with the time-out function, and reported in September 2006 that it does not have a plan to implement logging and data erasure verification. The agency has previously rejected other audit recommendations for a formal audit log policy and the logging of user activity.

Employees Working at Home

PII is not safeguarded when accessed in a work-at-home situation because employees use their own equipment, and the RRB is unable to control the configuration of the employee’s equipment to enforce the confidentiality of PII. In an effort to provide some safeguards, the RRB has restricted certain job functions that regularly use PII from working at home. However, a recent survey of 240 employees who do work at home revealed that some have used PII in work-at-home situations.[8]

[8] As of February 15, 2007, the agency had a total of 451 employees and contractors with virtual private network connections and the ability to access PII remotely.

In response to OMB M-06-16, the RRB issued a Rules of Behavior policy which states that RRB equipment should be used whenever possible for remote access. Additionally, the Rules of Behavior policy requires any downloaded PII stored on a remote system to be encrypted. This policy is inconsistent with the Work-At-Home policy, which does not mention encryption. The Rules of Behavior policy is unenforceable regarding encryption because agency-owned laptops with encryption software are not available for work-at-home employees. Additionally, a lack of understanding about how PII that is accessed remotely can be exposed or accessed by unauthorized individuals in a work-at-home situation may contribute to additional risks for those employees who admitted to accessing PII at home.

Agency Laptops

In September 2006, the RRB purchased 96 new laptops and 100 licenses for encryption software. These purchases were made in order to secure PII in situations where employees need to access and store PII remotely. Deploying laptops with this encryption software adds an extra layer of security and strengthens the safeguards over PII because the encryption is performed automatically without user intervention. The RRB intends to replace the agency’s existing laptops with the newly purchased and encrypted laptops. However, as of March 9, 2007 the agency had deployed only six of the newly purchased and encrypted laptops.

The agency’s fixed asset inventory with respect to laptops was inaccurate and cannot support an analysis of whether all of the newly purchased laptops have been included, or whether the RRB purchased enough encryption licenses to support all agency-owned laptops.[9]

[9] Exploration of this asset management issue is outside the scope of this evaluation.

The RRB has not developed a formal deployment plan which considers the full inventory of laptops and the decommissioning of any laptop that does not have encryption software. In order to achieve full compliance with the encryption requirement in OMB M-06-16, the agency must ensure all laptops are encrypted. The Bureau of Information Services also advised us that a lack of staffing resources has prevented a fast and orderly deployment of the newly purchased laptops. Additionally, we were told that some of the agency’s existing laptops are not compatible with the new encryption software.

Mainframe Data Tapes

The RRB does not have the means to encrypt mainframe data tapes containing PII. These tapes are transported to the Federal Records Center for storage. In order to properly safeguard the information, the tapes should be encrypted prior to their transport and storage. While other procedures are in place to protect data tapes during transport out of the building and when stored at the Federal Records Center, OMB M-06-16 requires that the tapes be encrypted.

The RRB considered the purchase of encryption hardware/software for mainframe tapes at the end of fiscal year 2006. However, management was unable to identify a compatible product that could be used in its information technology environment prior to fiscal year-end. Although the Bureau of Information Services has included mainframe encryption hardware/software in its fiscal year 2007 “Needs List”, it has not yet recommended a suitable product for purchase.

The RRB has a fiduciary duty to protect personal information that has been entrusted to it. Inadequate safeguards over PII increase the RRB’s risk for exposure, compromise, or loss of PII and can result in identity theft and/or other consequences for the beneficiaries of the RRB’s programs.

Recommendations

   4. We recommend that the Office of Administration revise the Work-at-Home policy to ensure its consistency with the recently adopted Rules of Behavior policy.

We recommend that the Bureau of Information Services:

   5. ensure all employees are assigned an agency-owned laptop with encryption software installed when they work at home;

   6. develop a comprehensive plan for laptop deployment which addresses the surplus and removal of old laptops that cannot be adequately encrypted;

   7. identify, purchase, and install the necessary hardware/software for mainframe data tape encryption and ensure its use on all mainframe data tapes transported off site; and

   8. provide privacy and security training to all employees who have remote access to PII, or who remove PII from the agency premises.

Management’s Responses

The Office of Administration has considered and declined Recommendation 4, to revise the Work-at-Home policy, because they believe a Standards of Conduct clause contained within the Work-at-Home agreement sufficiently covers adherence to other agency policies released after the Work-at-Home policy was established.

The Bureau of Information Services concurs with the recommendations and will take actions to assign agency-owned laptops, request the return of all old laptops, implement tape encryption, and provide the required training.

OIG’s Comments on Management’s Response

The OIG agrees that the Standards of Conduct clause should be sufficient to cover policies released after the Work-at-Home policy was established. Therefore, Recommendation 4 will be closed without implementation.

Contracts Lack Privacy-Related Federal Acquisition Regulation Clauses and Language

The RRB is not consistently including privacy-related Federal Acquisition Regulation (FAR) clauses and language in its solicitations and contracts. In fiscal year 2006, the Office of Administration reviewed the language of 11 contracts for privacy-related FAR clauses and found that 4 (including the contract for the agency’s database conversion effort) did not include the required clauses. Additionally, the Office of Administration did not document its remedial action plans for the noted deficiencies, as requested by the Chief Privacy Officer.

Our review of the contract file for the agency’s database conversion effort showed that FAR language for privacy and security safeguards, including identification of the applicable system of records, was missing.

The FAR prescribes the insertion of three contract clauses pertaining to privacy. Two Privacy Act clauses (52.224-1, Privacy Act Notification, and 52.224-2, Privacy Act) must be included in solicitations and contracts when the contract activities include the design, development, or operation of a system of records, including the collection, use, and dissemination of records. The Privacy or Security Safeguards clause (52.239-1) must be included when the contract activity includes information technology which requires security, and/or is for the design, development, or operation of a system of records using commercial information technology services or support services.

The FAR also prescribes specific language when the contract activity includes information technology, including:

   •   agency rules of conduct that the contractor is required to follow;
   •   a list of the anticipated threats and hazards that the contractor must guard against;
   •   a description of the safeguards that the contractor must provide; and
   •   requirements for a program of Government inspection during contract performance to ensure continued efficacy and efficiency of safeguards, and the discovery and countering of new threats and hazards.

The agency has published an Administrative Circular (BSS-14) as guidance for the procurement of goods and services; however, that circular does not specify FAR requirements concerning privacy and security safeguards.

Poorly articulated privacy and security safeguards in contracts increase the risk that the RRB will be exposed to legal ramifications if PII is inappropriately exposed, compromised, or lost by contractor employees.

Recommendations

We recommend that the Office of Administration:

   9. revise Administrative Circular BSS-14, Procurement of Goods and Services, to include consideration of the FAR requirements for privacy and security safeguards when contracts are established; and

   10. obtain contract modifications to include the privacy and information technology related FAR clauses and language.

Management’s Responses

The Office of Administration concurs with the recommendations and will initiate a revision to Administrative Circular OA-14 (which supersedes Administrative Circular BSS-14) and will obtain contract modifications.

Uncertified Contractors Encounter Personally Identifiable Information

Contractor staff handling PII are not always identified and certified by the Chief Privacy Officer prior to beginning work at the RRB. The RRB uses Form IRM-1 to document the contractor’s certification that they were notified of their responsibilities when handling PII, and agree to adhere to the RRB’s privacy protections. Our review of contractor staff who worked for the RRB, and had access to agency systems during fiscal years 2006 and 2007, disclosed 19 who did not sign a certification form.

The Privacy Act requires individuals involved in the design, development, operation, or maintenance of any system of records to be instructed regarding the rules of conduct and procedures adopted for the protection of the information involved. The Privacy Act also holds all government contractors and their employees to the same degree of compliance as any agency employee. The FAR clauses for privacy extend the provisions of the Privacy Act to any subcontract awarded under the initial contract. Form IRM-1 clearly states the RRB’s expectations of contractor responsibility when handling PII. Contractor staff who may encounter PII must sign Form IRM-1 prior to beginning work at the RRB to ensure the safeguards are understood.

Additionally, the agency provides every RRB employee who serves as a Contracting Officer’s Technical Representative an instructional letter describing their duties for ensuring contractor performance for individual contracts. However, the instructional letter does not specify any privacy or security safeguard requirements, such as advising the Chief Privacy Officer whenever new contractor staff are assigned to the contract.

The Chief Privacy Officer is responsible for instructing each individual contractor employee of their responsibilities with regard to PII and for obtaining their signed certification via Form IRM-1. In this respect, the Chief Privacy Officer should be notified of all contractor staff, and decide whether a certification is necessary. Currently, there is no control in place that would ensure the Chief Privacy Officer has been notified of any new contractor staff assigned during the life of the contract.

The RRB has provided PII access to some contractors who have not certified that they were instructed of their responsibilities for safeguarding the PII. As a result, the agency has incurred increased risk that the personal information entrusted to it may be lost, exposed, or compromised by the contractor employees.

Recommendations

We recommend that the Office of Administration:

   11. develop procedures to ensure that the Chief Privacy Officer is informed of all contractors who may handle PII prior to their beginning work at the RRB; and

   12. revise the Contracting Officer’s Technical Representative instructional letter for privacy and security requirements, including informing the Chief Privacy Officer of all contractor staff assigned to the contract.

We recommend that the Bureau of Information Services:

   13. obtain Form IRM-1 from current, uncertified contractor staff handling PII; and

   14. implement a control to ensure the Chief Privacy Officer has been informed of all contractors and their assigned staff, thereby ensuring the proper contractor certifications have been obtained.

Management’s Responses

The Office of Administration concurs with the recommendations and agrees to advise the Chief Privacy Officer of all contractors who may handle PII, and will review and revise the Contracting Officer’s Technical Representative instructional letter to include the duty of informing the Chief Privacy Officer of contractor staff.

The Bureau of Information Services concurs with the recommendations and will obtain Form IRM-1 from current, uncertified contractor staff. The Bureau of Information Services will also propose a control for use by the Office of Administration to ensure continued contractor identification and certification.

OIG’s Comments on Management’s Response

While the OIG acknowledges that coordination between the Office of Administration and the Chief Privacy Officer is necessary to accomplish identification of contractor staff, the responsibility for ensuring contractor certification lies solely with the Chief Privacy Officer. As such, the OIG believes an effective process should include not only a procedure by the Office of Administration to notify the Chief Privacy Officer of contractor staff, but also a control administered by the Chief Privacy Officer to ensure that procedure is operating and producing the desired results. We urge the Chief Privacy Officer to revisit her decision to place implementation of such a control beyond her purview, which diminishes her effectiveness in fulfilling her responsibilities for obtaining contractor certifications.

Plan of Action and Milestones Does Not Include Privacy-Related Weaknesses

The RRB’s Plan of Action and Milestones (POAM) does not reflect privacy-related weaknesses identified by the RRB in its fiscal year 2006 privacy reviews.[10]

[10] The OIG has cited the agency for an inadequate POAM in FISMA reviews since fiscal year 2003. The agency originally rejected the OIG’s recommendation regarding the POAM in fiscal year 2003 (Audit Report No. 03-11, #1), but agreed to a recommendation made in fiscal year 2005 (Audit Report No. 05-11, #3). That recommendation is still pending.

OMB M-06-15 requested agencies to conduct reviews of their privacy-related policies and processes, and to take corrective action as appropriate. OMB also requested agencies to include any weaknesses identified in the existing security POAM required by FISMA. The Bureau of Information Services maintains the POAM and provides OMB with quarterly updates of corrective actions.

In September 2006, the Chief Privacy Officer reported four areas requiring improvement that were identified in the RRB’s review for OMB M-06-15.[11] Our review of the RRB’s POAMs as of September 2006 and March 2007 showed that the above-mentioned areas for improvement are not included; however, other required privacy-related reporting was present. When we questioned the Chief Privacy Officer in December 2006 regarding the omission of privacy-related weaknesses from the POAM, she said it did not occur to her to use the POAM and that she was not familiar with how the POAM was updated. She also indicated that resource constraints were keeping her from the in-depth analysis needed to determine what tasks were required to correct the weaknesses.

[11] The Chief Privacy Officer cited the need for improvement in 1) privacy-related guidelines and training for remote users, 2) language in computer matching agreements, 3) privacy-related guidelines and training for contract officials and contractors, as well as language in contracts and memoranda of understanding, and 4) reviews of applications for access controls. Our current evaluation also reflects some of these weaknesses.

By not using the POAM as the effective tool it is meant to be, the RRB cannot provide reasonable assurance that proper safeguards are in place, because weaknesses are not identified and managed efficiently.

Recommendation

     15. We recommend that the Bureau of Information Services develop appropriate action plans and update the POAM for all privacy-related weaknesses.

Management’s Response

The Bureau of Information Services partially concurs with the recommendation and will include significant privacy-related weaknesses in the POAM.

Policies and Procedures Should Explicitly Address Personally Identifiable Information

Many existing RRB policies and procedures require revision to explicitly include privacy-related issues and safeguards for PII. New procedures are also needed. For example, explicit policy and procedures on safeguarding PII during remote access or physical removal of data from the agency environment are not documented. Our review disclosed the following policies and procedures that require revision or development.

     •   Administrative Circular IRM-2. This document addresses the Privacy Act and the Freedom of Information Act but needs to be updated for recent OMB guidance. This document is currently undergoing revision.
     •   Administrative Circular IRM-5. This document is out of date concerning the destruction of sensitive information because it does not address all situations and methods in which sensitive information should be destroyed subsequent to remote access and storage on external devices.
     •   Field Operating Manual I. This manual contains instructions for employees in the Office of Programs for completing Form G-671. The instructions for completing this form are vague, and do not ensure that the form will contain the necessary information for the RRB’s periodic review of routine use disclosures.[12]
     •   Personal Digital Assistant policy. This document is out of date and does not address PII safeguards.
     •   Laptop Loan policy. 
This document is out of date and does not address PII\n         safeguards.\n     \xe2\x80\xa2   No formal, documented policies and/or procedures were found to explain the\n         scope and capabilities of the RRB\xe2\x80\x99s monitoring, analysis, and reporting of data\n         extracts containing sensitive information.\n     \xe2\x80\xa2   No formal, documented procedures were found to explain risk assessment\n         updates and the criteria specifying the significant changes that prompt a risk\n         assessment update.\n\n\n\n12\n  The term \xe2\x80\x9croutine use\xe2\x80\x9d means, with respect to the disclosure of a record, the use of such record for a\npurpose which is compatible with the purpose for which the record was collected. Each system of records\nspecifies the routine use disclosures that are allowed for that system of records. The RRB uses Form\nG-671 to document disclosures made to third parties, which are governed by the record\xe2\x80\x99s routine use. As\na result, Form G-671 is a primary source of information needed for the review of routine use disclosures.\n\n\n                                                  13\n\x0cOMB M-06-16 contains guidance for agencies to implement regarding sensitive\ninformation accessed remotely or removed from the agency. The guidance cites\nspecific controls from the NIST SP 800-53, including formal, documented policies and\nprocedures.\n\nThe Privacy Act defines routine use, conditions of disclosure, and the expected\naccounting of certain disclosures. OMB Circular A-130, Appendix I requires agencies to\nreview their routine use disclosures every four years to ensure compatibility with the\npurpose for which the information was collected/disclosed. 
Our non-statistical review of\nseveral Form G-671s completed in January 2006 showed they did not always contain\nthe information necessary to complete the routine use review required by OMB Circular\nA-130, Appendix I.\n\nAlthough the Chief Privacy Officer has recognized that many of these policies and\nprocedures require updates, the current lack of resources applied to the privacy\nprogram has adversely affected timely implementation.\n\nWell documented and formulated policies and procedures help to ensure an effective\nprogram because they advise employees of management\xe2\x80\x99s expectations in a reliable\nand consistent manner. Without well documented and formulated privacy-related\npolicies and procedures, the RRB\xe2\x80\x99s privacy program cannot provide reasonable\nassurance that PII will be safeguarded.\n\nRecommendations\n\n   16. We recommend that the Bureau of Information Services update the policies and\n       procedures for Administrative Circular IRM-2, Administrative Circular IRM-5,\n       Personal Digital Assistants, Laptop Loans, audit scope and capabilities, and risk\n       assessment updates.\n\n   17. 
We recommend that the Office of Programs revise the instructions for Form\n       G-671 in the Field Operating Manual I.\n\nManagement\xe2\x80\x99s Responses\n\nThe Bureau of Information Services concurs with the recommendation and will update\nthe above-mentioned documents.\n\nThe Office of Programs concurs with the recommendation and will revise the\ninstructions for Form G-671.\n\n\n\n\n                                           14\n\x0c                                                                            Appendix I\n\n                                List of OMB Guidance\n\n\n\nOMB Circular A-130, Appendix I, \xe2\x80\x9cManagement of Federal Information Resources,\nFederal Agency Responsibilities for Maintaining Records About Individuals,\xe2\x80\x9d\nNovember 28, 2000.\n\nOMB M-03-22, \xe2\x80\x9cOMB Guidance for Implementing the Privacy Provisions of the\nE-Government Act of 2002,\xe2\x80\x9d September 26, 2003.\n\nOMB M-05-08, \xe2\x80\x9cDesignation of Senior Agency Officials for Privacy,\xe2\x80\x9d February 11, 2005.\n\nOMB M-06-15, \xe2\x80\x9cSafeguarding Personally Identifiable Information,\xe2\x80\x9d May 22, 2006.\n\nOMB M-06-16, \xe2\x80\x9cProtection of Sensitive Agency Information,\xe2\x80\x9d June 23, 2006.\n\nOMB M-06-19, \xe2\x80\x9cReporting Incidents Involving Personally Identifiable Information and\nIncorporating the Cost for Security in Agency Information Technology Investments,\xe2\x80\x9d\nJuly 12, 2006.\n\nOMB M-06-20, \xe2\x80\x9cFY 2006 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management,\xe2\x80\x9d July 17, 2006.\n\nOMB M-07-04, \xe2\x80\x9cUse of Commercial Credit Monitoring Services Blanket Purchase\nAgreements,\xe2\x80\x9d December 22, 2006.\n\n\n\n\n                                          15\n\x0c\x0c\x0c\x0c\x0c\x0c\x0c'